software supply chain security company Phylum has found 451 Python packages published on the official PyPI repository that are associated with the clipper malware campaign

Recently, the software supply chain security company Phylum has uncovered a major malware campaign targeting open-source software developers. The attack, codenamed “Clipper”, is a form of supply-chain attack where malicious code is inserted into legitimate open-source packages and subsequently reused by unsuspecting developers.

The Clipper attack was discovered after Phylum researchers found 451 Python packages published on the official PyPI repository that are associated with the campaign. These malicious packages were identified by the presence of a cryptominer, which tries to siphon away computing resources for Bitcoin mining.

The attack was made possible by the malicious actors using a technique known as “dependency confusion”. This basically involves uploading a malicious version of a popular package to the PyPI repository, which then overwrites the original package when it is downloaded by the developer.

To combat this attack, the PyPI team has implemented a system where packages with the same name are reviewed and validated by the repository admins before being published. In addition, the team is also actively monitoring the repository for suspicious packages and removing them when found.

Ultimately, it is important for developers to be aware of the threats that open-source packages can pose and to take steps to ensure that the packages they use are secure. It is also important for developers to be aware of the techniques that malicious actors can use to insert malicious code into legitimate packages and to stay up to date with changes in the PyPI repository.